The contractor that should not be

Greetings TDWTF! I've been reading your stories for a very long time, and I wanted to share some of my own.

I work in a tiny webdev agency in Eastern Europe (yes, among other things that includes PHP every day, cue all the witty remarks). We often have more work than we can handle, so we tend to hand some of it off to contractors. This is the story of the contractor we dealt with this week.

(For those unfamiliar, LAMP/XAMPP is a package to get started with PHP. An equivalent for the Microsoft stack would be a tool that downloads and installs IIS, SQL Server Express, and a C# compiler, without Visual Studio or anything else, and then lets you start/stop/configure them. It's the recommended way to get started with PHP, but you're supposed to grow out of it...)

Despite the red flags of "what does perfect experience even mean?", "most of those frameworks weren't even out 7 years ago!", and "how can he have more framework experience than language experience?", the management decided to give him a try, because we were in a tight spot and (sadly!) there were no other candidates.

When we gave him a task, step 1 was of course to get the project running locally on his Linux Mint laptop. This did not go well:

I had to tell him how to switch to another git branch (he claimed to be familiar with git during the interview);

despite his "5 years of LAMP experience", I had to set up a vhost for the project, so that Apache would show it;

when it generated errors instead of displaying the project, I had to look at his error logs to figure out that, despite his claim to be using PHP 5.x, his XAMPP was running PHP 7;

his approach to switch to PHP 5.x was to uninstall XAMPP and install an older version that includes PHP 5.x;

during the reinstall process, MySQL user accounts were reset, so the username/password that he swore was working, in fact, wasn't;

The process above took him a whole day, as well as half of my day, and he left promising to fix his MySQL and get it running the next day (he was going to work remotely). I explained the actual task to him, which he seemed to understand okay and said he'd deliver a solution by the end of next day. I had my doubts because I did not think it was such a simple task, given his competence so far...

In the morning, he called my boss and said "I ran into a permission problem, I'm switching my laptop to Windows".

During lunch, he called me and asked how he should deliver the solution. My answer of "make a new git branch, make your changes there, and push them" was the same as the day before, but this time it brought up a counter-question "how do I do that, and do I do it in <the task management system> or <the version control system>?". He still said he would deliver it by the end of the day.

At around 1 AM, he sent us an email saying "I don't know how you want me to deliver the changes, but I'm attaching them to this email". With one attached file.

In the morning, I looked at his changes. And I lost any faith I had left. He had added 7 lines of code, and in those lines he managed to make 3 syntax errors and call two non-existent functions.

When I said that his result was unacceptable, he insisted his IDE did not show any errors. Turned out his entire process for testing was to run the IDE's static code analysis and see if it reported any problems. I have no clue what he misconfigured to make it not show the errors, but when I pointed the actual errors out, he acknowledged them and promised to fix them by the end of the day.

Later he called again and said, quote, "I made the changes, but when I try to view them in the browser, my IDE says it can't save the project".

Fortunately, my boss (who, since this is a tiny company, is also the CEO) has decided to terminate this guy's contract on Monday.

Unfortunately, the client is insistent that this functionality must be ready in production by Wednesday. Fun times ahead!

LAMP also stands for the stack even when it's not installed from the LAMP package, to be fair. I'd assume LAMP experience meant "experience running software on a LAMP stack" if it wasn't for every other red flag on this page.

Why the fuck would anyone use LAMP? These days, a real server setup is a few apt-get commands away. It doesn't even help you set up virtual hosts, the one thing you'd possibly want some help from a GUI with. I switched over to manual setup years ago and never looked back.

You're right to consider "LAMP" experience a red flag. Kind of like if a frontend dev stated "Dreamweaver experience" in their CV.

Again, there's nothing wrong with using PHP on Apache with a MySQL database backing it and a Linux server. What's not "real" about any of that? Just because there's a package to easy-install PHP + Apache + MySQL doesn't make the experience of administrating the server any less valuable. It's not like Dreamweaver where you're isolated from having to maintain the code.

That said, this guy's obviously a moron, and his CV inspires 0 confidence.

Again, there's nothing wrong with using PHP on Apache with a MySQL database backing it and a Linux server. What's not "real" about any of that? Just because there's a package to easy-install PHP + Apache + MySQL doesn't make the experience of administrating the server any less valuable. It's not like Dreamweaver where you're isolated from having to maintain the code.
That said, this guy's obviously a moron, and his CV inspires 0 confidence.

Ugh. I wanted to rant about XAMP, WAMP and similar GUI frontends. Almost there, Cartman.

Be that as it may, someone who blindly follows SO without thinking will certainly run into someone who asks them if they know they can charge their phone in the microwave, and believe them.

is that the sort of person you want as a cow-orker?

Definitely not.

Btw, I'm also one of the people who got pissed off by the manner in which they handle knowledge. (If it's not posted by someone on the web already, it does not exist, even if it has existed for 10+ years and those affected by the problem already treated it as common knowledge.)

@Yamikuronue Because you're supposed to be using nginx now! It's the new hot web server!!!

Why is this a thing? I have a developer on one of my projects who criticized the use of Apache as a reverse proxy to most of the ALM tools.

"Why not nginx?! <flourish of performance test results of Apache vs. nginx>" Uh... because a.) this server was set up at least a year and a half ago, and b.) this is a development project; I don't think we're going to be getting tens of thousands of requests a second.

I use Apache because I know how to configure it and it works. What other criteria do I really need to use?

Nginx is used in some other environments within my project; from what I've observed, it's not faster in any way that's noticeable or relevant to my end users. It may be faster in other configurations and with other workloads, but that's not as important to me.

Nginx is used in some other environments within my project; from what I've observed, it's not faster in any way that's noticeable or relevant to my end users. It may be faster in other configurations and with other workloads, but that's not as important to me.

As I said, it fares better in high traffic scenarios; if you aren't in that scenario ... then it probably won't help you. As per usual it comes down to "well, it depends what you are doing".

Because they both use the exact same underlying cryptography and SSL libraries. (Except with Apache you may use NSS and with nginx you mayn't.) Choice of a Web server has very little to do with security of a system, all things considered.

I dunno why you would choose to have lower potential performance when running a PHP app works almost exactly the same. In the industries I work in, Apache isn't used at all and most of the architects won't allow it even for just simple landing pages.

Because they both use the exact same underlying cryptography and SSL libraries. (Except with Apache you may use NSS and with nginx you mayn't.) Choice of a Web server has very little to do with security of a system, all things considered.

I am not talking about SSL and crypto, I am talking about the software itself.

I dunno why you would choose to have lower potential performance when running a PHP app works almost exactly the same.

Because potential performance doesn't matter to me. (I'm also not running a PHP app, so.) I work in the real world. I don't have time to optimize for conditions that don't exist. I'm going to pick the software that's best supported and that I can best maintain.

I am not talking about SSL and crypto, I am talking about the software itself.

What the fuck does that mean? There's no possible way to back that up. Web server security depends almost solely on configuration. I'll back an Apache server I've hardened against your nginx server any day of the week.

Because potential performance doesn't matter to me. (I'm also not running a PHP app, so.) I work in the real world. I don't have time to optimize for conditions that don't exist. I'm going to pick the software that's best supported and that I can best maintain.

I work in the real world too, unless my world is somehow fake. Nginx does pretty much everything better than Apache in everything that matters as far as I am concerned. I don't see why you would choose an older and obviously inferior piece of tech over something that is obviously better.

What the fuck does that mean? There's no possible way to back that up. Web server security depends almost solely on configuration. I'll back an Apache server I've hardened against your nginx server any day of the week.

Vulnerabilities applying to one of my Apache servers in the past three months: 1 (CVE-2016-5387), mitigated with a one-line configuration change. Vulnerabilities applying to Nginx in the past three months: 1 (CVE-2016-4450), mitigation requires a software upgrade.

I don't see why you would choose an older and obviously inferior piece of tech over something that is obviously better.

Obviously inferior vs. something that's obviously better. Yeah, you're exactly the same as my evangelical developer and I'm similarly done talking to you now. You have nothing to back up what you're saying.
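The "one-line configuration change" mentioned above for CVE-2016-5387 is worth spelling out, since it is a good illustration of the "security is configuration" point. This fragment is added here as an example and is not the poster's own config: CVE-2016-5387 is the Apache HTTP Server side of the "httpoxy" issue, where a client-supplied Proxy request header gets handed to CGI/FastCGI applications as the HTTP_PROXY environment variable, and the Apache project's recommended mitigation is to drop that header before it reaches the application. The IfModule guard and the vhost name are assumptions for illustration.

```apache
# Mitigation for CVE-2016-5387 ("httpoxy") in Apache HTTP Server.
# CGI-style environments turn every request header into an HTTP_* variable,
# so a client-sent "Proxy:" header becomes HTTP_PROXY, which many HTTP client
# libraries read as their outbound proxy setting. Stripping the header at the
# server makes the application code's behaviour independent of the client.
<IfModule mod_headers.c>
    # "early" processes the directive before the request is handed to the
    # handler, so the header never reaches CGI/FastCGI/PHP at all.
    RequestHeader unset Proxy early
</IfModule>

# Example placement: put it in the global config or in each vhost that fronts
# a CGI/FastCGI backend (hypothetical vhost shown).
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /var/www/example
    <IfModule mod_headers.c>
        RequestHeader unset Proxy early
    </IfModule>
</VirtualHost>
```

After reloading Apache, a CGI script that prints its environment should no longer show HTTP_PROXY regardless of what the client sends; that absence is the check that the mitigation is active.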

@heterodox lol, I said my reasons why I think it is superior and all you've done is say "well I like Apache and it is good enough" ... well if that is how you do development I feel sorry for your users.

Because they both use the exact same underlying cryptography and SSL libraries. (Except with Apache you may use NSS and with nginx you mayn't.) Choice of a Web server has very little to do with security of a system, all things considered.

Because choice of crypto is all there is to Web server security, amirite?

(I don't actually use either server. I don't have a dog in this fight. Just pointing out that this argument appears kind of silly.)

Because they both use the exact same underlying cryptography and SSL libraries. (Except with Apache you may use NSS and with nginx you mayn't.) Choice of a Web server has very little to do with security of a system, all things considered.

Because choice of crypto is all there is to Web server security, amirite?

No, in fact that's the opposite of my argument. I literally just pointed out how little hardening has to do with the software (saying they were equal on that front anyway) and how much it has to do with configuration.

Didn't realize the argument was "Because it's newer and more shiny, it's inherently more secure, and things that are older → better battle-tested and better documented are inherently less secure."